getting auth failure on salt-cloud command


Tim Dunphy

Sep 13, 2016, 2:23:11 PM
to Salt-users
Hey all,

I'm getting an auth failure on salt-cloud command

[root@salt:~] #salt-cloud -p base_ec2_public ops.example.com
[ERROR   ] AWS Response Status Code and Error: [401 401 Client Error: Unauthorized] {'Errors': {'Error': {'Message': 'AWS was not able to validate the provided access credentials', 'Code': 'AuthFailure'}}, 'RequestID': '3a5e33e2-d1a9-44fa-983c-26691d4f8ee7'}
[ERROR   ] AWS Response Status Code and Error: [401 401 Client Error: Unauthorized] {'Errors': {'Error': {'Message': 'AWS was not able to validate the provided access credentials', 'Code': 'AuthFailure'}}, 'RequestID': '163079c6-2b79-4301-80c8-77ba0d7c896d'}
[ERROR   ] There was a profile error: string indices must be integers, not str

 This is my /etc/salt/cloud.providers.d/aws.conf file

----
my-ec2-us-east-public-ips:
  # Set up the location of the salt master
  #
  minion:
    master: salt.example.com

  # Set up grains information, which will be common for all nodes
  # using this provider
  grains:
    node_type: broker
    release: 1.0.1

  # Specify whether to use public or private IP for deploy script.
  #
  # Valid options are:
  #     private_ips - The salt-cloud command is run inside the EC2
  #     public_ips - The salt-cloud command is run outside of EC2
  #
  ssh_interface: public_ips

  # Optionally configure the Windows credential validation number of
  # retries and delay between retries.  This defaults to 10 retries
  # with a one second delay between retries
  win_deploy_auth_retries: 10
  win_deploy_auth_retry_delay: 1

  # Set the EC2 access credentials (see below)
  #
  id: "REDACTED"
  key: "REDACTED"

  # Make sure this key is owned by root with permissions 0400.
  #
  private_key: /etc/salt/my_test_key.pem
  keyname: my_test_key
  securitygroup: default

  # Optionally configure default region
  # Use salt-cloud --list-locations <provider> to obtain valid regions
  #
  location: us-east-1
  availability_zone: us-east-1a

  #
  ssh_username: ec2-user

  # Optionally add an IAM profile
  iam_profile: 'arn:aws:iam::REDACTED:user/bluethundr'

  driver: ec2


my-ec2-us-east-private-ips:
  # Set up the location of the salt master
  #
  minion:
   master: salt.example.com
  # Specify whether to use public or private IP for deploy script.
  #
  # Valid options are:
  #     private_ips - The salt-master is also hosted with EC2
  #     public_ips - The salt-master is hosted outside of EC2
  #
  ssh_interface: private_ips

  # Optionally configure the Windows credential validation number of
  # retries and delay between retries.  This defaults to 10 retries
  # with a one second delay between retries
  win_deploy_auth_retries: 10
  win_deploy_auth_retry_delay: 1

  # Set the EC2 access credentials (see below)
  #
  id: "REDACTED" 
  key: "REDACTED"

  # Make sure this key is owned by root with permissions 0400.
  #
  private_key: /etc/salt/my_test_key.pem
  keyname: my_test_key

  # This one should NOT be specified if VPC was not configured in AWS to be
  # the default. It might cause an error message which says that network
  # interfaces and an instance-level security groups may not be specified
  # on the same request.
  #
  securitygroup: default

  # Optionally configure default region
  #
  location: us-east-1
  availability_zone: us-east-1a

  # Configure which user to use to run the deploy script. This setting is
  # dependent upon the AMI that is used to deploy. It is usually safer to
  # configure this individually in a profile, than globally. Typical users
  # are:
  #
  # Amazon Linux -> ec2-user
  # RHEL         -> ec2-user
  # CentOS       -> ec2-user
  # Ubuntu       -> ubuntu
  #
  ssh_username: ec2-user

  # Optionally add an IAM profile
  iam_profile: 'arn:aws:iam::REDACTED:user/bluethundr'

  driver: ec2


And this is my /etc/salt/cloud.profiles.d/aws_profiles.conf

base_ec2:
  provider: my-ec2-us-east-public-ips
  image: ami-869a9cee
  size: t2.micro
  ssh_username: ec2-user

base_ec2_private:
  provider: my-ec2-us-east-private-ips
  image: ami-869a9cee
  size: t2.micro
  ssh_username: ec2-user

base_ec2_public:
  provider: my-ec2-us-east-public-ips
  image: ami-e565ba8c
  size: t2.micro
  ssh_username: ec2-user

base_ec2_db:
  provider: my-ec2-us-east-public-ips
  image: ami-e565ba8c
  size: m1.xlarge
  ssh_username: ec2-user
  volumes:
    - { size: 10, device: /dev/sdf }
    - { size: 10, device: /dev/sdg, type: io1, iops: 1000 }
    - { size: 10, device: /dev/sdh, type: io1, iops: 1000 }
    - { size: 10, device: /dev/sdi, tags: {"Environment": "production"} }
  # optionally add tags to profile:
  tag: {'Environment': 'production', 'Role': 'database'}
  # force grains to sync after install
  sync_after_install: grains

base_ec2_vpc:
  provider: my-ec2-us-east-public-ips
  image: ami-a73264ce
  size: m1.xlarge
  ssh_username: ec2-user
  script:  /etc/salt/cloud.deploy.d/user_data.sh
  network_interfaces:
    - DeviceIndex: 0
      PrivateIpAddresses:
        - Primary: True
      #auto assign public ip (not EIP)
      AssociatePublicIpAddress: True
      SubnetId: subnet-813d4bbf
      SecurityGroupId:
        - sg-750af413
  del_root_vol_on_destroy: True
  del_all_vol_on_destroy: True
  volumes:
    - { size: 10, device: /dev/sdf }
    - { size: 10, device: /dev/sdg, type: io1, iops: 1000 }
    - { size: 10, device: /dev/sdh, type: io1, iops: 1000 }
  tag: {'Environment': 'production', 'Role': 'database'}
  sync_after_install: grains

The user whose keys I'm using in the config file has AdministratorAccess set up in IAM.

Can someone take a stab and let me know why I'm getting auth failures? The redacted AWS keys were taken straight from the AWS interface and copied into the cloud.providers file.

Thanks,
Tim

Tim Dunphy

Sep 13, 2016, 3:33:14 PM
to Salt-users
Here's some debug output of the command I'm trying to get working:

[root@salt:~] #salt-cloud -p base_ec2_public ops.example.com  -l debug
[DEBUG   ] Reading configuration from /etc/salt/cloud
[DEBUG   ] Reading configuration from /etc/salt/master
[DEBUG   ] Using cached minion ID from /etc/salt/minion_id: salt.example.com
[DEBUG   ] Missing configuration file: /etc/salt/cloud.providers
[DEBUG   ] Including configuration from '/etc/salt/cloud.providers.d/aws.conf'
[DEBUG   ] Reading configuration from /etc/salt/cloud.providers.d/aws.conf
[DEBUG   ] Missing configuration file: /etc/salt/cloud.profiles
[DEBUG   ] Including configuration from '/etc/salt/cloud.profiles.d/aws_profiles.conf'
[DEBUG   ] Reading configuration from /etc/salt/cloud.profiles.d/aws_profiles.conf
[DEBUG   ] Configuration file path: /etc/salt/cloud
[WARNING ] Insecure logging configuration detected! Sensitive data may be logged.
[INFO    ] salt-cloud starting
[DEBUG   ] Could not LazyLoad parallels.avail_sizes: 'parallels' __virtual__ returned False
[DEBUG   ] LazyLoaded parallels.avail_locations
[DEBUG   ] LazyLoaded proxmox.avail_sizes
[DEBUG   ] Could not LazyLoad saltify.destroy: 'saltify.destroy' is not available.
[DEBUG   ] Could not LazyLoad saltify.avail_sizes: 'saltify.avail_sizes' is not available.
[DEBUG   ] Could not LazyLoad saltify.avail_images: 'saltify.avail_images' is not available.
[DEBUG   ] Could not LazyLoad saltify.avail_locations: 'saltify.avail_locations' is not available.
[DEBUG   ] LazyLoaded rackspace.reboot
[DEBUG   ] LazyLoaded openstack.list_locations
[DEBUG   ] LazyLoaded rackspace.list_locations
[DEBUG   ] Could not LazyLoad parallels.avail_sizes: 'parallels' __virtual__ returned False
[DEBUG   ] LazyLoaded parallels.avail_locations
[DEBUG   ] LazyLoaded proxmox.avail_sizes
[DEBUG   ] Could not LazyLoad saltify.destroy: 'saltify.destroy' is not available.
[DEBUG   ] Could not LazyLoad saltify.avail_sizes: 'saltify.avail_sizes' is not available.
[DEBUG   ] Could not LazyLoad saltify.avail_images: 'saltify.avail_images' is not available.
[DEBUG   ] Could not LazyLoad saltify.avail_locations: 'saltify.avail_locations' is not available.
[DEBUG   ] LazyLoaded rackspace.reboot
[DEBUG   ] LazyLoaded openstack.list_locations
[DEBUG   ] LazyLoaded rackspace.list_locations
[DEBUG   ] Using AWS endpoint: ec2.us-east-1.amazonaws.com
[DEBUG   ] AWS Response Status Code: 401
[ERROR   ] AWS Response Status Code and Error: [401 401 Client Error: Unauthorized] {'Errors': {'Error': {'Message': 'AWS was not able to validate the provided access credentials', 'Code': 'AuthFailure'}}, 'RequestID': '0f483305-6cb2-4c09-ae2f-ec804fd3beea'}
[DEBUG   ] Failed to execute 'ec2.list_nodes()' while querying for running nodes: An error occurred while listing nodes: AWS was not able to validate the provided access credentials
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/salt/cloud/__init__.py", line 2383, in run_parallel_map_providers_query
    cloud.clouds[data['fun']]()
  File "/usr/lib/python2.7/site-packages/salt/cloud/clouds/ec2.py", line 3496, in list_nodes
    nodes = list_nodes_full(get_location())
  File "/usr/lib/python2.7/site-packages/salt/cloud/clouds/ec2.py", line 3346, in list_nodes_full
    return _list_nodes_full(location)
  File "/usr/lib/python2.7/site-packages/salt/cloud/clouds/ec2.py", line 3436, in _list_nodes_full
    instances['error']['Errors']['Error']['Message']
SaltCloudSystemExit: An error occurred while listing nodes: AWS was not able to validate the provided access credentials
[DEBUG   ] Generating minion keys for 'ops.jokefire.com'
[DEBUG   ] LazyLoaded cloud.fire_event
[DEBUG   ] MasterEvent PUB socket URI: /var/run/salt/master/master_event_pub.ipc
[DEBUG   ] MasterEvent PULL socket URI: /var/run/salt/master/master_event_pull.ipc
[DEBUG   ] Initializing new IPCClient for path: /var/run/salt/master/master_event_pull.ipc
[DEBUG   ] Sending event - data = {'profile': 'base_ec2_public', 'event': 'starting create', '_stamp': '2016-09-13T19:24:13.555913', 'name': 'ops.jokefire.com', 'provider': 'my-ec2-us-east-public-ips:ec2'}
[INFO    ] Creating Cloud VM ops.jokefire.com in us-east-1
[DEBUG   ] Using AWS endpoint: ec2.us-east-1.amazonaws.com
1
[DEBUG   ] AWS Response Status Code: 401
[ERROR   ] AWS Response Status Code and Error: [401 401 Client Error: Unauthorized] {'Errors': {'Error': {'Message': 'AWS was not able to validate the provided access credentials', 'Code': 'AuthFailure'}}, 'RequestID': 'e9912cf2-2e9b-496f-b607-4b9bae8b8938'}
[ERROR   ] There was a profile error: string indices must be integers, not str
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/salt/cloud/cli.py", line 284, in run
    self.config.get('names')
  File "/usr/lib/python2.7/site-packages/salt/cloud/__init__.py", line 1454, in run_profile
    ret[name] = self.create(vm_)
  File "/usr/lib/python2.7/site-packages/salt/cloud/__init__.py", line 1284, in create
    output = self.clouds[func](vm_)
  File "/usr/lib/python2.7/site-packages/salt/cloud/clouds/ec2.py", line 2512, in create
    data, vm_ = request_instance(vm_, location)
  File "/usr/lib/python2.7/site-packages/salt/cloud/clouds/ec2.py", line 1742, in request_instance
    az_ = get_availability_zone(vm_)
  File "/usr/lib/python2.7/site-packages/salt/cloud/clouds/ec2.py", line 1094, in get_availability_zone
    zones = _list_availability_zones(vm_)
  File "/usr/lib/python2.7/site-packages/salt/cloud/clouds/ec2.py", line 1242, in _list_availability_zones
    ret[zone['zoneName']] = zone['zoneState']
TypeError: string indices must be integers, not str

It'd be great to have some suggestions. 

Thanks

Charles McLaughlin

Sep 14, 2016, 12:43:09 PM
to Salt-users
Try removing the iam_profile from your /etc/salt/cloud.providers.d/aws.conf to see if that's the problem.

The "user" token in this looks suspicious to me:

iam_profile: 'arn:aws:iam::REDACTED:user/bluethundr'

Generally I expect to see something like this:

iam_profile: 'arn:aws:iam::$ACCOUNT_NUM:role/$ROLE_NAME'

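Also double check the IAM permissions of the salt-cloud user.  It needs more than EC2 admin privs (not exactly sure what your policy is)... it needs iam:PassRole too so add that if you don't already have it there.  In case that's the problem, this could help:
https://blogs.aws.amazon.com/security/post/Tx3M0IFB5XBOCQX/Granting-Permission-to-Launch-EC2-Instances-with-IAM-Roles-PassRole-Permission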

Tim Dunphy

Sep 14, 2016, 5:10:41 PM
to salt-...@googlegroups.com
Hi,

 Thanks for your response!

Answers in-line

> Try removing the iam_profile from your /etc/salt/cloud.providers.d/aws.conf to see if that's the problem.


OK, tried that. When commenting out just the iam_profile line in aws.conf I get the same response:

[root@salt:~] #grep iam_profile /etc/salt/cloud.providers.d/aws.conf
  #iam_profile: 'arn:aws:iam::840405578871:instance-profile/jf-admin-role'
  #iam_profile: 'arn:aws:iam::840405578871:instance-profile/jf-admin-role'

[root@salt:~] #salt-cloud -p base_ec2_public ops.example.com -l debug
[DEBUG   ] Reading configuration from /etc/salt/cloud
[DEBUG   ] Reading configuration from /etc/salt/master
[DEBUG   ] Using cached minion ID from /etc/salt/minion_id: salt.example.com
[DEBUG   ] Missing configuration file: /etc/salt/cloud.providers
[DEBUG   ] Including configuration from '/etc/salt/cloud.providers.d/aws.conf'
[DEBUG   ] Reading configuration from /etc/salt/cloud.providers.d/aws.conf
/usr/lib/python2.7/site-packages/salt/config/__init__.py:2580: DeprecationWarning: The term 'provider' is being deprecated in favor of 'driver'. Support for 'provider' will be removed in Salt Nitrogen. Please convert your cloud provider configuration files to use 'driver'.
[ERROR   ] AWS Response Status Code and Error: [401 401 Client Error: Unauthorized] {'Errors': {'Error': {'Message': 'AWS was not able to validate the provided access credentials', 'Code': 'AuthFailure'}}, 'RequestID': 'bedafac8-0c8f-4347-9adf-e24dff1e70d9'}
[DEBUG   ] Failed to execute 'ec2.list_nodes()' while querying for running nodes: An error occurred while listing nodes: AWS was not able to validate the provided access credentials
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/salt/cloud/__init__.py", line 2383, in run_parallel_map_providers_query
    cloud.clouds[data['fun']]()
  File "/usr/lib/python2.7/site-packages/salt/cloud/clouds/ec2.py", line 3496, in list_nodes
    nodes = list_nodes_full(get_location())
  File "/usr/lib/python2.7/site-packages/salt/cloud/clouds/ec2.py", line 3346, in list_nodes_full
    return _list_nodes_full(location)
  File "/usr/lib/python2.7/site-packages/salt/cloud/clouds/ec2.py", line 3436, in _list_nodes_full
    instances['error']['Errors']['Error']['Message']
SaltCloudSystemExit: An error occurred while listing nodes: AWS was not able to validate the provided access credentials
[DEBUG   ] Generating minion keys for 'ops.example.com'
[DEBUG   ] LazyLoaded cloud.fire_event
[DEBUG   ] MasterEvent PUB socket URI: /var/run/salt/master/master_event_pub.ipc
[DEBUG   ] MasterEvent PULL socket URI: /var/run/salt/master/master_event_pull.ipc
[DEBUG   ] Initializing new IPCClient for path: /var/run/salt/master/master_event_pull.ipc
[DEBUG   ] Sending event - data = {'profile': 'base_ec2_public', 'event': 'starting create', '_stamp': '2016-09-14T20:54:28.160380', 'name': 'ops.example.com', 'provider': 'my-ec2-us-east-public-ips:ec2'}
[INFO    ] Creating Cloud VM ops.example.com in us-east-1
[ERROR   ] AWS Response Status Code and Error: [401 401 Client Error: Unauthorized] {'Errors': {'Error': {'Message': 'AWS was not able to validate the provided access credentials', 'Code': 'AuthFailure'}}, 'RequestID': '7be0fa92-ed24-4fb5-b542-59995812ca42'}
[ERROR   ] There was a profile error: string indices must be integers, not str
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/salt/cloud/cli.py", line 284, in run
    self.config.get('names')
  File "/usr/lib/python2.7/site-packages/salt/cloud/__init__.py", line 1454, in run_profile
    ret[name] = self.create(vm_)
  File "/usr/lib/python2.7/site-packages/salt/cloud/__init__.py", line 1284, in create
    output = self.clouds[func](vm_)
  File "/usr/lib/python2.7/site-packages/salt/cloud/clouds/ec2.py", line 2512, in create
    data, vm_ = request_instance(vm_, location)
  File "/usr/lib/python2.7/site-packages/salt/cloud/clouds/ec2.py", line 1742, in request_instance
    az_ = get_availability_zone(vm_)
  File "/usr/lib/python2.7/site-packages/salt/cloud/clouds/ec2.py", line 1094, in get_availability_zone
    zones = _list_availability_zones(vm_)
  File "/usr/lib/python2.7/site-packages/salt/cloud/clouds/ec2.py", line 1242, in _list_availability_zones
    ret[zone['zoneName']] = zone['zoneState']
TypeError: string indices must be integers, not str

 

> The "user" token in this looks suspicious to me:
> iam_profile: 'arn:aws:iam::REDACTED:user/bluethundr'
> Generally I expect to see something like this:
> iam_profile: 'arn:aws:iam::$ACCOUNT_NUM:role/$ROLE_NAME'

I tried these accounts in the iam_profile as well:

iam_profile: arn:aws:iam::$ACCOUNT_NUM:role/jf-admin-role

arn:aws:iam::$ACCOUNT_NUM:instance-profile/jf-admin-role

With no change in result. I still get the same error as in the debug output above.



> Also double check the IAM permissions of the salt-cloud user.  It needs more than EC2 admin privs (not exactly sure what your policy is)... it needs iam:PassRole too so add that if you don't already have it there.  In case that's the problem, this could help:
> https://blogs.aws.amazon.com/security/post/Tx3M0IFB5XBOCQX/Granting-Permission-to-Launch-EC2-Instances-with-IAM-Roles-PassRole-Permission

The salt-cloud user has full AdministratorAccess. Which has this policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}


So that user should have access to absolutely everything. So I really don't know why I'm still getting access denied errors when I try to provision to EC2 using salt.


Really appreciate your help. Looking forward to getting this solved!


Tim





--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

tim.h...@gmail.com

Sep 14, 2016, 6:23:14 PM
to Salt-users
 Hi Tim,

The response from AWS is a 401, not a 403, which means it's not a permissions/policy issue, rather it really doesn't like your credentials. This could be due to a number of things - copy/paste error, API keys 'inactive', clock isn't synchronized etc. I'd try using them via the AWS CLI just to confirm they work. If they do then.... I'm stumped too!

cheers,
T2
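
Added example, not part of the thread: a small Python triage of salt-cloud's `AWS Response Status Code and Error` lines along the 401-versus-403 distinction made in the reply above, plus a clock check against an HTTP `Date` header taken from any response of the endpoint. The log lines are constructed in the format shown in this thread; `MAX_SKEW_SECONDS` and the category names are assumptions of this example.

```python
import ast
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample lines in the format salt-cloud printed in this thread.
SAMPLE_LOG = """\
[ERROR   ] AWS Response Status Code and Error: [401 401 Client Error: Unauthorized] {'Errors': {'Error': {'Message': 'AWS was not able to validate the provided access credentials', 'Code': 'AuthFailure'}}, 'RequestID': '00000000-0000-0000-0000-000000000001'}
[ERROR   ] AWS Response Status Code and Error: [400 400 Client Error: Bad Request] {'Errors': {'Error': {'Message': 'The specified instance type can only be used in a VPC. A subnet ID or network interface ID is required to carry out the request.', 'Code': 'VPCResourceNotSpecified'}}, 'RequestID': '00000000-0000-0000-0000-000000000002'}
[DEBUG   ] AWS Response Status Code: 200
"""

ERROR_RE = re.compile(
    r"AWS Response Status Code and Error: \[(\d{3}) [^\]]*\] (\{.*\})\s*$"
)

# Where to look first, keyed by HTTP status.
TRIAGE = {
    401: "credentials",  # key id/secret, key status, or the request timestamp
    403: "permissions",  # credentials accepted, IAM policy denies the action
    400: "request",      # credentials and policy fine, parameters rejected
}

# Assumption of this example: tolerated clock difference in seconds.
# Set it to the limit documented for the service being called.
MAX_SKEW_SECONDS = 300


def parse_errors(log_text):
    """Return (status, aws_code, category) for every AWS error line."""
    findings = []
    for line in log_text.splitlines():
        match = ERROR_RE.search(line)
        if not match:
            continue  # not an error line, or a line the terminal wrapped
        status = int(match.group(1))
        try:
            # salt-cloud prints the parsed response as a Python dict repr.
            body = ast.literal_eval(match.group(2))
            code = body["Errors"]["Error"]["Code"]
        except (ValueError, SyntaxError, KeyError, TypeError):
            code = "unparsed"
        findings.append((status, code, TRIAGE.get(status, "other")))
    return findings


def clock_skew_seconds(date_header, local_now=None):
    """Local time minus server time, from an HTTP Date header value."""
    server = parsedate_to_datetime(date_header)
    if server.tzinfo is None:
        server = server.replace(tzinfo=timezone.utc)
    local_now = local_now or datetime.now(timezone.utc)
    return (local_now - server).total_seconds()


def diagnose(log_text, date_header, local_now=None):
    """Annotate credential failures when the local clock is off."""
    skew = clock_skew_seconds(date_header, local_now)
    results = []
    for status, code, category in parse_errors(log_text):
        if category == "credentials" and abs(skew) > MAX_SKEW_SECONDS:
            category = "credentials (clock skew %+d s)" % skew
        results.append((status, code, category))
    return results


if __name__ == "__main__":
    # Constructed values: a server Date header and a local clock 10 minutes ahead.
    now = datetime(2016, 9, 21, 16, 16, 16, tzinfo=timezone.utc)
    for row in diagnose(SAMPLE_LOG, "Wed, 21 Sep 2016 16:06:16 GMT", now):
        print(row)
```

The parser expects each log record on one line, so output that a terminal has wrapped needs to be rejoined first.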

Tim Dunphy

Sep 19, 2016, 10:33:17 AM
to salt-...@googlegroups.com
Hey guys,

 I made sure that the clock was synced. And checked the credentials using the aws cli. And for some reason the aws ec2 commands are getting auth errors. But the aws iam commands are not. The iam commands are working fine.

I talk about that problem in this thread if you're curious:



Thanks


Tim Dunphy

Sep 21, 2016, 12:07:41 PM
to salt-...@googlegroups.com
Hey all,

 I was able to get the time set up correctly on my salt master. So that now the aws ec2 commands work!

[root@salt:~] #aws ec2 describe-addresses --profile=jf-ops
ADDRESSES       eipalloc-14327271       vpc     xx.xx.xx.xx

For example. But now when I try to run the salt-cloud provision command this is the error I get back:


salt-cloud -p base_ec2_public ops.example.com
/usr/lib/python2.7/site-packages/salt/config/__init__.py:2580: DeprecationWarning: The term 'provider' is being deprecated in favor of 'driver'. Support for 'provider' will be removed in Salt Nitrogen. Please convert your cloud provider configuration files to use 'driver'.
[ERROR   ] AWS Response Status Code and Error: [400 400 Client Error: Bad Request] {'Errors': {'Error': {'Message': 'The specified instance type can only be used in a VPC. A subnet ID or network interface ID is required to carry out the request.', 'Code': 'VPCResourceNotSpecified'}}, 'RequestID': '9971ea5c-176a-4c4b-bf7f-34528bd764e1'}
[ERROR   ] Error requesting instance: Errors
Error: There was a profile error: Failed to deploy VM

Here's my latest provider and profile configs:

Provider:

my-ec2-us-east-public-ips:
  minion:
    master: salt.example.com
  grains:
    node_type: broker
    release: 1.0.1
  ssh_interface: public_ips
  win_deploy_auth_retries: 10
  win_deploy_auth_retry_delay: 1
  id: 'REMOVED'
  key: 'REMOVED'
  private_key: /etc/salt/bluethundr.pem
  keyname: bluethundr
  securitygroup: default
  location: us-east-1
  availability_zone: us-east-1a
  ssh_username: ec2-user
  iam_profile: 'arn:aws:iam::$ACCOUNT_NUM:instance-profile/jf-admin-role'
  provider: ec2
my-ec2-us-east-private-ips:
  minion:
   master: salt.example.com
  ssh_interface: private_ips
  win_deploy_auth_retries: 10
  win_deploy_auth_retry_delay: 1
  id: 'REMOVED'
  key: 'REMOVED'
  private_key: /etc/salt/bluethundr.pem
  keyname: bluethundr
  securitygroup: default
  location: us-east-1
  availability_zone: us-east-1a
  ssh_username: ec2-user
  iam_profile: 'arn:aws:iam::$ACCOUNT_NUM:instance-profile/jf-admin-role'
  provider: ec2


And here's my profile:

base_ec2:
  keyname: salt-admin
  provider: my-ec2-us-east-public-ips
  image: ami-869a9cee
  size: t2.micro
  ssh_username: ec2-user
base_ec2_private:
  provider: my-ec2-us-east-private-ips
  image: ami-869a9cee
  size: t2.micro
  ssh_username: ec2-user
base_ec2_public:
  provider: my-ec2-us-east-public-ips
  image: ami-e565ba8c
  size: t2.micro
  ssh_username: ec2-user
base_ec2_db:
  provider: my-ec2-us-east-public-ips
  image: ami-e565ba8c
  size: m1.xlarge
  ssh_username: ec2-user
  volumes:
    - { size: 10, device: /dev/sdf }
    - { size: 10, device: /dev/sdg, type: io1, iops: 1000 }
    - { size: 10, device: /dev/sdh, type: io1, iops: 1000 }
    - { size: 10, device: /dev/sdi, tags: {"Environment": "production"} }
  tag: {'Environment': 'production', 'Role': 'database'}
  sync_after_install: grains
base_ec2_vpc:
  provider: my-ec2-us-east-public-ips
  image: ami-a73264ce
  size: m1.xlarge
  ssh_username: ec2-user
  script:  /etc/salt/cloud.deploy.d/user_data.sh
  network_interfaces:
    - DeviceIndex: 0
      PrivateIpAddresses:
        - Primary: True
      AssociatePublicIpAddress: True
      SubnetId: subnet-813d4bbf
      SecurityGroupId:
        - sg-750af413
  del_root_vol_on_destroy: True
  del_all_vol_on_destroy: True
  volumes:
    - { size: 10, device: /dev/sdf }
    - { size: 10, device: /dev/sdg, type: io1, iops: 1000 }
    - { size: 10, device: /dev/sdh, type: io1, iops: 1000 }
  tag: {'Environment': 'production', 'Role': 'database'}
  sync_after_install: grains

And here's the debug output of that command:

[root@salt:~] #salt-cloud -p base_ec2_public ops.jokefire.com -l debug
[DEBUG   ] Reading configuration from /etc/salt/cloud
[DEBUG   ] Reading configuration from /etc/salt/master
[DEBUG   ] Using cached minion ID from /etc/salt/minion_id: salt.jokefire.com
[DEBUG   ] Missing configuration file: /etc/salt/cloud.providers
[DEBUG   ] Including configuration from '/etc/salt/cloud.providers.d/aws.conf'
[DEBUG   ] Reading configuration from /etc/salt/cloud.providers.d/aws.conf
/usr/lib/python2.7/site-packages/salt/config/__init__.py:2580: DeprecationWarning: The term 'provider' is being deprecated in favor of 'driver'. Support for 'provider' will be removed in Salt Nitrogen. Please convert your cloud provider configuration files to use 'driver'.
[DEBUG   ] AWS Response Status Code: 200
[DEBUG   ] LazyLoaded cloud.cache_node_list
[DEBUG   ] Generating minion keys for 'ops.jokefire.com'
[DEBUG   ] LazyLoaded cloud.fire_event
[DEBUG   ] MasterEvent PUB socket URI: /var/run/salt/master/master_event_pub.ipc
[DEBUG   ] MasterEvent PULL socket URI: /var/run/salt/master/master_event_pull.ipc
[DEBUG   ] Initializing new IPCClient for path: /var/run/salt/master/master_event_pull.ipc
[DEBUG   ] Sending event - data = {'profile': 'base_ec2_public', 'event': 'starting create', '_stamp': '2016-09-21T16:06:16.255246', 'name': 'ops.jokefire.com', 'provider': 'my-ec2-us-east-public-ips:ec2'}
[INFO    ] Creating Cloud VM ops.jokefire.com in us-east-1
[DEBUG   ] AWS Response Status Code: 200
[DEBUG   ] MasterEvent PUB socket URI: /var/run/salt/master/master_event_pub.ipc
[DEBUG   ] MasterEvent PULL socket URI: /var/run/salt/master/master_event_pull.ipc
[DEBUG   ] Initializing new IPCClient for path: /var/run/salt/master/master_event_pull.ipc
[DEBUG   ] Sending event - data = {'event': 'requesting instance', '_stamp': '2016-09-21T16:06:16.342787', 'location': 'us-east-1', 'kwargs': {'IamInstanceProfile.Arn': 'arn:aws:iam::840405578871:instance-profile/jf-admin-role', 'SecurityGroup.1': 'default', 'ImageId': 'ami-e565ba8c', 'KeyName': 'bluethundr', 'Placement.AvailabilityZone': 'us-east-1a', 'MaxCount': 1, 'Action': 'RunInstances', 'MinCount': 1, 'InstanceType': 't2.micro'}}
[DEBUG   ] Using AWS endpoint: ec2.us-east-1.amazonaws.com
[DEBUG   ] AWS Response Status Code: 400
[ERROR   ] AWS Response Status Code and Error: [400 400 Client Error: Bad Request] {'Errors': {'Error': {'Message': 'The specified instance type can only be used in a VPC. A subnet ID or network interface ID is required to carry out the request.', 'Code': 'VPCResourceNotSpecified'}}, 'RequestID': '8d16eb84-20a7-446d-aaca-18732ed5d527'}
[ERROR   ] Error requesting instance: Errors
Error: There was a profile error: Failed to deploy VM


Any help would be appreciated! 

Thanks,
Tim

Tim Dunphy

Sep 27, 2016, 5:51:16 PM
to salt-...@googlegroups.com
Hey guys,

 The problem was that I had to supply a subnet into the cloud profile definition. Once I did that, the host was launched into the correct VPC. 

Thanks to all who tried to help!

Tim
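
Added example, not part of the thread: a pre-flight check in Python over a provider/profile pair that flags the three configuration points raised in this discussion before salt-cloud calls EC2. The dictionaries are constructed from the configs posted above with placeholder IDs; `subnetid` is salt-cloud's EC2 profile key for a subnet (the post does not say which form the author used), and the `VPC_ONLY_FAMILIES` set and finding names are assumptions of this example.

```python
import re

# Assumption of this example: instance families EC2 only launches in a VPC.
# The error in this thread shows t2.micro is one; extend the set as needed.
VPC_ONLY_FAMILIES = {"t2"}

# Captures the resource type of an IAM ARN (user, role, instance-profile, ...).
ARN_RE = re.compile(r"^arn:aws:iam::[^:]*:([a-z-]+)/.+$")

# Constructed from the provider and profile posted in the thread.
PROVIDER = {
    "securitygroup": "default",
    "location": "us-east-1",
    "availability_zone": "us-east-1a",
    "iam_profile": "arn:aws:iam::$ACCOUNT_NUM:instance-profile/jf-admin-role",
}
PROFILE = {"image": "ami-e565ba8c", "size": "t2.micro", "ssh_username": "ec2-user"}


def lint(provider, profile):
    """Return a list of (finding, explanation) for one provider/profile pair."""
    # In this example, profile keys take precedence over provider keys.
    vm = {**provider, **profile}
    findings = []

    family = str(vm.get("size", "")).split(".")[0]
    has_subnet = bool(vm.get("subnetid") or vm.get("network_interfaces"))
    if family in VPC_ONLY_FAMILIES and not has_subnet:
        findings.append((
            "vpc-subnet-missing",
            "size %s needs subnetid or network_interfaces" % vm["size"],
        ))

    # From the comment in the posted provider file: network interfaces and an
    # instance-level security group may not go in the same request.
    if vm.get("network_interfaces") and vm.get("securitygroup"):
        findings.append((
            "sg-name-with-interfaces",
            "move the security group into network_interfaces (SecurityGroupId)",
        ))

    # From the reply in this thread: a user ARN is not expected in iam_profile.
    arn = ARN_RE.match(str(vm.get("iam_profile", "")))
    if arn and arn.group(1) not in ("instance-profile", "role"):
        findings.append((
            "iam-profile-arn",
            "iam_profile points at a '%s' resource" % arn.group(1),
        ))
    return findings


def finding_names(provider, profile):
    return [name for name, _ in lint(provider, profile)]


if __name__ == "__main__":
    fixed = {**PROFILE, "subnetid": "subnet-EXAMPLE"}  # placeholder subnet ID
    print("as posted:", lint(PROVIDER, PROFILE))
    print("with subnet:", lint(PROVIDER, fixed))
```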